Configuring Single Sign-On (SSO)
Single sign-on enables multiple applications to share user sign-on information, rather than requiring each application to have separate user sign-on. Applications using single sign-on authenticate the user one time, and the authentication information is propagated to all other involved applications.
Single sign-on applies to Web applications configured for the same realm and virtual server.
Note: Single sign-on uses an HTTP cookie to transmit a token that associates each request with the saved user identity, so it can be used only when the browser client supports cookies.
Single sign-on operates according to the following rules:
- When a user accesses a protected resource in a Web application, the server requires the user to authenticate himself or herself, using the method defined for that Web application.
- Once authenticated, the Application Server uses the roles associated with the user for authorization decisions across all Web applications on the virtual server, without challenging the user to authenticate to each application individually.
- When the user logs out of one Web application (explicitly, or because of session expiration), the user’s sessions in all Web applications become invalid. Thereafter, the user is required to log in to access a protected resource in any application.
Single sign-on is enabled by default for the Application Server. To disable it or configure other properties, follow these steps.
- In the Admin Console tree component, expand the Configurations node.
- Expand the instance to configure:
  - To configure a particular instance, expand that instance's config node. For example, for the default instance, server, expand the server-config node.
  - To configure the default settings for all instances, expand the default-config node.
- Expand the HTTP Service node.
- Expand the Virtual Servers node, and select the virtual server to be configured for single sign-on support.
- Click Add Property.
A blank property entry is added to the bottom of the list.
- Enter sso-enable in the Name field.
- Enter false in the Value field to disable SSO, or true to enable it. SSO is enabled by default.
- To add or change any other single sign-on property, click Add Property again and set the applicable property. The valid SSO properties are listed in Table 0-42.
Table 0-42 Virtual Servers SSO Properties

| Property Name | Description | Values |
| --- | --- | --- |
| sso-max-inactive-seconds | Number of seconds after which a user's single sign-on record becomes eligible for purging if no client activity is received. Access to any of the applications on the virtual server keeps the single sign-on record active. | Default is 300 seconds (5 minutes). A higher value provides longer persistence for users, but consumes more memory on the server. |
| sso-reap-interval-seconds | Interval (in seconds) between purges of expired single sign-on records. | Default is 60. |
- Click Save.
- Restart the Application Server if Restart Required displays in the console.
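The following is an added illustration of the rules and timing properties described above; it is a simplified Python model written for this page, not the Application Server's own code. It assumes that only the periodic reaper removes idle records, so a record last used at second 100 survives until the first reaper tick after 100 + sso-max-inactive-seconds, which is the window a leaked SSO cookie would remain valid.

```python
from dataclasses import dataclass, field
@dataclass
class SsoRecord:
    roles: frozenset
    last_access: int                               # simulated clock, seconds
    sessions: set = field(default_factory=set)     # (app, session_id) pairs bound to this record

class SsoCache:
    def __init__(self, max_inactive=300):
        self.max_inactive = max_inactive           # sso-max-inactive-seconds
        self.records = {}                          # SSO cookie value -> SsoRecord

    def login(self, sso_id, roles, now):           # user authenticated to one application
        self.records[sso_id] = SsoRecord(frozenset(roles), now)

    def access(self, sso_id, app, session_id, now):
        # Any request carrying the SSO cookie refreshes the record and binds that app's session.
        rec = self.records.get(sso_id)
        if rec is None:
            return None                            # unknown or purged: must re-authenticate
        rec.last_access = now
        rec.sessions.add((app, session_id))
        return rec.roles                           # roles reused for authorization decisions

    def logout(self, sso_id):
        # Logout from one app (or its session expiring) invalidates every bound session.
        rec = self.records.pop(sso_id, None)
        return sorted(rec.sessions) if rec else []

    def reap(self, now):
        # Reaper tick: purge records idle longer than max_inactive; return the purged ids.
        expired = [k for k, r in self.records.items() if now - r.last_access > self.max_inactive]
        for k in expired:
            del self.records[k]
        return expired

def simulate(max_inactive=300, reap_interval=60):
    cache = SsoCache(max_inactive)
    cache.login("sso-1", {"employee"}, now=0)                  # constructed sample user
    cache.access("sso-1", "app-a", "s-a1", now=0)
    roles = cache.access("sso-1", "app-b", "s-b1", now=100)    # app-b reuses the sign-on
    t = 0
    while not cache.reap(t):                                    # reaper fires every reap_interval
        t += reap_interval
    cache.login("sso-2", {"employee"}, now=0)
    cache.access("sso-2", "app-a", "s-a2", now=0)
    cache.access("sso-2", "app-b", "s-b2", now=0)
    killed = cache.logout("sso-2")                              # one logout, all sessions gone
    return {"roles_via_sso": sorted(roles), "purged_at": t, "idle_before_purge": t - 100,
            "sessions_killed": killed, "access_after_logout": cache.access("sso-2", "app-a", "s-a3", now=1)}
```

With the defaults, the record idle since second 100 is purged at the reaper tick at second 420, so the effective idle lifetime is up to sso-max-inactive-seconds plus one reap interval; lowering either value shortens that window at the cost of more frequent re-authentication or reaper work.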